Axe TCP_RESTRICT_RST. It was never a particularly good idea except for a few

very specific scenarios, and now that we have had net.inet.tcp.blackhole for
quite some time there is really no reason to use it any more.

(first of three commits)

2 files changed, 0 insertions, 9 deletions

diff --git a/sys/conf/NOTES b/sys/conf/NOTES
index 52f32ed..6dd2f65 100644
--- a/sys/conf/NOTES
+++ b/sys/conf/NOTES
@@ -590,19 +590,11 @@ options 	TCPDEBUG
 options		ACCEPT_FILTER_DATA
 options		ACCEPT_FILTER_HTTP
 
-# The following options add sysctl variables for controlling how certain
-# TCP packets are handled.
-#
 # TCP_DROP_SYNFIN adds support for ignoring TCP packets with SYN+FIN. This
 # prevents nmap et al. from identifying the TCP/IP stack, but breaks support
 # for RFC1644 extensions and is not recommended for web servers.
 #
-# TCP_RESTRICT_RST adds support for blocking the emission of TCP RST packets.
-# This is useful on systems which are exposed to SYN floods (e.g. IRC servers)
-# or any system which one does not want to be easily portscannable.
-#
 options 	TCP_DROP_SYNFIN		#drop TCP packets with SYN+FIN
-options 	TCP_RESTRICT_RST	#restrict emission of TCP RST
 
 # DUMMYNET enables the "dummynet" bandwidth limiter. You need
 # IPFIREWALL as well. See the dummynet(4) manpage for more info.
diff --git a/sys/conf/options b/sys/conf/options
index e848c50..0878dad 100644
--- a/sys/conf/options
+++ b/sys/conf/options
@@ -278,7 +278,6 @@ SLIP_IFF_OPTS		opt_slip.h
 TCP_COMPAT_42		opt_compat.h
 TCPDEBUG
 TCP_DROP_SYNFIN		opt_tcp_input.h
-TCP_RESTRICT_RST	opt_tcp_input.h
 XBONEHACK
 
 # Netgraph(4). Use option NETGRAPH to enable the base netgraph code.